Slashdot Mirror


13 New Windows Security Vulnerabilities

Petree writes "Microsoft has given advance notice that on February 8th they will be releasing patches for 13 vulnerabilities. Happily, a day later they'll have a nice little webcast to answer questions about the vulnerabilities. Windows users, don't forget to run WindowsUpdate first thing Monday morning."

14 of 410 comments

  1. Why? by Sophrosyne · Score: 4, Interesting

    Can't they roll them into one cumulative security update?

    1. Re:Why? by amberp · Score: 2, Interesting

      For two reasons:
      1. There are too many (known and unknown) vulnerabilities.
      2. Even the known ones are too many to fix, for various reasons.

    2. Re:Why? by totoanihilation · Score: 2, Interesting

      Every time I visit family, I make it a point to bring all the updates they could possibly need for their computer (that, and new versions of Firefox). It's a pain trying to figure out which updates they have and which ones they don't, and I end up spending an hour locating them all.
      Unfortunately, most of those I visit don't have broadband, so downloading 200 megs from WU doesn't work.

      On the other side of the fence, Mac OS X updates always have a Combo version containing ALL previous updates, which I find wonderful for quick deployment and updates of multiple systems. When installing a new system, for example, I run my install CDs, then run the one updater. Done. On windoze, I run the installer, then have to install hundreds of updates OR run WU several times in a row to make sure the system is patched.

      Anyway, I guess what I'm trying to say is that it wouldn't be too hard to write a script (at M$) that would add every new update to a Combo update (similar to how you add a file to a tar file) and a special installer to handle it all without user intervention. So why don't they do it? It's not like they lack the money to hire some student to write it in a weekend...

  2. At least they are actively patching... by jmcmunn · Score: 5, Interesting

    Come on Slashdot, at least they are actively fixing their shit. You all bad-mouth them for not fixing stuff fast enough, and then when they announce they are releasing a patch you try to find some way to bad-mouth them for that?

    We're all bored of hearing how much people hate MS here...we KNOW you don't like them. Just leave it at that, and instead of reading and posting 600 replies here about how they suck, have some sort of intelligent conversation instead.

    1. Re:At least they are actively patching... by DarkVader · Score: 3, Interesting

      Hmm... I think I might even sue the lock manufacturer. If I've bought a new lock that's been advertised to keep the burglar out, and he goes in by breaking the lock, I've even got a case.

      Now, if I buy a lock that is known to be defective, I don't have a case - I should have known better.

      But I can still be annoyed that the lock manufacturer makes garbage locks.

      Or I can just use another company's locks. That's the problem with Microsoft, they have so much of the market that many people are stuck using their locks, even when they know they're garbage. Me, I'll stick with Macintosh and Linux.

    2. Re:At least they are actively patching... by jmcmunn · Score: 2, Interesting

      Well, Microsoft could take the stance of creating the "bullet proof" OS which allows you to run only the software that comes preinstalled, and only stuff that they have tested and debugged... that's about the only way they could "guarantee" their product to be bug free. (Of course even Linux users would never claim to be totally bug free.)

      But you know what? That wouldn't be a very useful machine to anyone. The beauty of an OS is that it can run programs that you install (or even write) after the fact. You want the "Fort Knox" of machines? Run BartPE, or a Linux LiveCD or something. You want a functional OS, that can run all kinds of software and actually evolve over time, run Windows (or Linux for all I care, or Mac). The point is, they do their best to keep up with the changing world, and fix bugs as well as they can in a timely fashion most of the time.

      You have to realize that a lot of bugs and security problems are found in the OS due to bad code in the apps that people have written. (Or good code, depending on who you are.) So MS reacts to the new ways that people find to break in. You think cars always had LoJack, or GPS tracking, or security alarms? NO. Security is an ongoing fight, not just in the computer industry. The "criminals" will constantly find new ways to break in, and the "good guys" keep on trying new ways to keep them out. So step back and relax, and remember the good old days when no one had to worry about hackers on the internet, then remember that in those days you also dialed in on a 19.2 baud modem, and it sucked ass. We've come a long way, and things are getting better...

  3. KB891711 killed my 2003 server by Anonymous Coward · Score: 1, Interesting

    I turned all automatic updates off after that disaster. This patched user32.dll and after application, my 2003 box went into a continuous reboot. Removing the patch failed to restore functionality. I had to restore from a drive image to get back up and running. I'm running 2003 as a desktop, so I don't fit the average testing profile, but it is unacceptable to have a patch completely de-pants my workstation.

  4. Re:Damnit by Anonymous Coward · Score: 1, Interesting

    Haha, that's a good one. I see you've never had a real IT job before. You can send two company-wide emails and pass out flyers, and maybe 30% of the users will be informed (or remember what you told them) when the time comes. But, it was a lovely and fantastically unrealistic thought.

  5. The sad reality of this is: by dariyam · Score: 2, Interesting

    The people that actually keep up with these updates are the same people that use McAfee and that enable encryption on their Wi-Fi routers; they are the slightly-savvy citizens of the Microsoft community, and are a minority, and are probably already protected from these exploits beforehand by some third-party software somewhere. Meanwhile, everyone else, who don't have the time or know-how to protect their PCs, are the ones getting hurt worst by these vulnerabilities. I think updates should be forced by the operating system, kind of like how AOL back in the '90s wouldn't let you sign off a session and release your modem till you had downloaded their damn updates (which I am, even today, convinced were ad-packs).

  6. WOW, Censorship is alive and well here by FunWithHeadlines · Score: 2, Interesting

    Say anything negative against Microsoft nowadays, except in the meekest of manners, and you get modded to oblivion. What I wrote is 100% true, done in a humorous way, and the last sentence is optional but highly recommended. Anyone who doesn't know by now that Windows is the least secure OS out there gets what they deserve.

    You can suppress what I'm saying, but not the reality of what I said.

  7. Re:PC Benchwarming by jwcorder · Score: 2, Interesting

    What in the hell are you talking about? It's been at least 2 years since we have had a patch crash a machine here in a 5000-workstation environment.

    Not to mention that SP2 works great unless you happen to be running an in-house application that was coded in BASIC back in 1942. Then you will have some problems. I have it running on about 10 workstations and I have had no problems except for once when I rolled back the install and corrupted a file. The only reason we haven't deployed it to all 5000 of our machines is that the firewall in SP2 does not allow remote control from the version of SMS we run in this environment. Once we get the new SMS version on the server, all workstations in this environment will be upgraded.

    I am so sick of this crap. Sure MS is evil, but get over it. They are not the devil. Foosball is the devil!

    Seriously, I will be one of the first to get my patches on Tuesday morning....

    --
    http://jayceecorder.blogspot.com

  8. Re:Booooring... by chris_mahan · Score: 2, Interesting

    What I want to know is this:

    Are the holes real?

    (I mean, I know there are so many holes in windows the swiss cheese manufacturing association is suing)

    Since the great unwashed masses are going to buy windows. (They are, trust me) and Microsoft, knowing this, wants to boost sales.

    They announce, in this order:

    A) We don't support Windows 2000, 98, ME for new vulnerabilities; you need XP SP2.

    B) We are not going to provide Windows updates to non-legal installations of the software.

    C) There are now lots and lots of holes in all the software, so unless you buy a Windows XP SP2 license, you will NOT be protected, and all the hackers will steal ALL your credit card, health, and skeleton-in-closet information. Buy now!

    D) Profit! (Announce best quarterly profit in years (oh, done that already)).

    They are banking on people's laziness and fear. And they are not the first.

    They are pointing the finger at the hacker, not at their own lack of software engineering skills. And Joe Sixpack is going to follow that line of reasoning. How could he not? He IS Joe Sixpack after all. So they look like they're standing up to the shadowy underworld of cyberspace on behalf of mom and pop, and mom and pop happily buy their wintel boxen.

    I say crackers need to lay low and not attack Windows for about 1 year, and take a break. Since there won't be any bad things killing machines, people will be happy running their 4-year-old Windows ME, or that corporate Windows 2000 Pro from "a friend", and Microsoft will have a really bad quarter. Or two. And that will prompt leadership changes. And once that happens, then crackers can do whatever they want.

    I also want to point out that Firefox had better get a foundation going with a couple of heavies in it, otherwise some corp is going to hire the lead guys out of the project. Can you say Google?

    As far as Google: they should not be too keen to diversify. They can make a lot more money in search and custom-profiled advertisement. It's an undertapped market. They don't need to make enemies right now.

    On Sun, and that means you Jonathan (Tim, tell him), get people involved in the grid computing by providing free accounts for hackers and FOSS people. These people really influence their corporate PHBs. I know if I use it and love it, then I don't mind telling my boss and his boss that anything less is Mickey Mouse. And I'm fast becoming the leading enterprise J2EE developer at my place of business. But I ain't gonna spring 8760 USD per annum to find out if it's any good.

    Microsoft: Make gaming software for Linux. You will nearly redeem yourself. Donate some money (not software) to some FOSS foundations, no strings attached.

    --

    "Piter, too, is dead."

  9. Re:The problem with windows is by ledow · Score: 4, Interesting

    I have to agree with CastrTroy here... I run 98SE for the exact reason he has stated. I provide tech support to 6 different schools in my area and I'm having to turn new job offers down because I just don't have enough hours in the week to do them.

    Everyone is surprised that I run 98 but, especially now, I know the problems that it has and I have systems in place to stop them. I know it crashes a lot but I also know how to fix it. I've never lost a Windows 95/98/ME installation yet. However, the XP and 2K machines that I support will lock into all sorts of reboot loops and cryptic stop messages that I can do nothing about but restore from backup.

    The schools I work for were stung big-time by things like Sasser; they were taken completely off-guard and all reached a critical state within a few days when not one of their PCs would stay up for more than a few minutes.

    Because of my setup and because of the way that viruses are now only targeting the new vulnerabilities, I'm pretty safe. I've NEVER, repeat NEVER, had a virus on any computer that I own and for many years didn't even bother with an antivirus.

    Nowadays, the only reason I have antivirus is so that I can scan emails from people who forward me crap and ask "is this a virus/trojan etc?". Most of the time, it's a yes before I even bother to scan it.

    Virus writers are not targeting me; they'd have a very hard time if they did because I'm not stupid.
    My IE is up-to-date and never used, because I realised many years ago what a mistake it is to use it. IE is installed purely for Windows Update.

    I have people who I support who are still happily running 98, even 95, some of whom are years behind on updates and they don't have a problem because they are educated, firewalled, know what not to do and have established measures in place, have had for years.

    Only the 2000/XP computers that I support have problems with such junk because, like Sasser, there was little a user could do to prevent it as it came out of the blue. That's what 98 was like many years ago but we've since established a routine that prevents that.

    There is NOTHING WRONG with running an older Windows OS, even an out-of-date, not-updated OS. Sure, I wouldn't use it as a server, but then I wouldn't use Windows as a server given half a choice, precisely because of its many problems.

    Windows "automatic update" has screwed up many a machine that I support, and given all sorts of weird problems because of it installing crap and hogging internet connections.

    Windows 98 works for me, does everything I need to, is blindingly fast (but you don't notice that until you use it after using XP), behind a suitable set of protective measures is as safe as a Windows 2000/XP machine behind the same measures, easy to recover and suffers less problems overall.

    Experiment for the adventurous: Get a Windows 3.1 box, install TCP/IP and put it on the net. Wait for it to be compromised. Perform similar action on XP/2K, even with latest updates.

    One of my firewalls is still running a Linux 2.0 kernel because it's simple, safe, and works. Old, decrepit. Old = tried and tested.

    Ask NASA why they won't put an Intel with XP controlling the space shuttle. Now ask them why they would use a Z80 with something like CP/M or Unix.

  10. Re:Booooring... by Too+Much+Noise · Score: 3, Interesting

    Attempting to draw sort of a line between "OS" and "irregular tools":

    [DSA 664-1] New cpio packages fix insecure file permissions
    It has been discovered that cpio, a program to manage archives of files, creates output files with -O and -F with broken permissions due to a reset zero umask, which allows local users to read or overwrite those files.
    Annoying, but hardly "critical".

    [DSA 659-1] New libpam-radius-auth packages fix several vulnerabilities
    This is actually a mixed bag.
    The Debian package accidentally installed its configuration file /etc/pam_radius_auth.conf world-readable.
    Rather embarrassing, but Deb-specific.
    Leon Juranic discovered an integer underflow in the mod_auth_radius module for Apache which is also present in libpam-radius-auth.
    More general, indeed.

    And even (assuming a KDE desktop):
    [DSA 660-1] New kdebase packages fix authentication bypass
    Raphaël Enrici discovered that the KDE screensaver can crash under certain local circumstances. This can be exploited by an attacker with physical access to the workstation to take over the desktop session.
    This problem has been fixed upstream in KDE 3.0.5 and is therefore fixed in the unstable (sid) and testing (sarge) distributions already.

    The rest are additional packages installed on a per-need basis. You don't argue MSSQL vulnerabilities are Windows vulnerabilities, do you? Or those of the compiler? (f2c indeed - that must be highly critical for home users)

    Contrast this with the Windows announcement, where the 10 vulns affecting the OS are rated Critical.
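The cpio advisory quoted in the comment above comes down to one mistake: the program reset the process umask to 0 before creating its output files, so a 0666 creation mode survived untouched and the files ended up world-readable and world-writable. The following is an added C example, not cpio's or Debian's code, that reproduces that mistake beside a hardened variant; the function names and the /tmp scratch path are this example's own.

```c
/*
 * Added example (not cpio's or Debian's code): the bug class DSA 664-1
 * describes, a program clearing the process umask to 0 before creating its
 * output files so they come out 0666, placed beside the hardened variant.
 * Function names and the /tmp scratch path are this example's own.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` the vulnerable way: reset the umask to zero, then open with
 * 0666. Whatever the caller's umask was, the file becomes world read/write.
 * Returns the permission bits of the created file, or -1 on error. */
static int create_umask_reset(const char *path) {
    mode_t saved = umask(0);                 /* the bug: nothing is masked */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(saved);                            /* restore so the demo is repeatable */
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc < 0 ? -1 : (int)(st.st_mode & 0777);
}

/* Hardened: leave the umask alone and request owner-only bits. O_EXCL also
 * refuses to clobber an existing file or follow a pre-planted symlink.
 * A umask can only remove bits, so the result is 0600 under any umask. */
static int create_owner_only(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc < 0 ? -1 : (int)(st.st_mode & 0777);
}

/* Run one variant against a fresh scratch file in /tmp, remove the file and
 * return the permission bits it was created with (-1 on error). */
int demo_mode(int hardened) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/umask-demo-%d-%ld", hardened, (long)getpid());
    unlink(path);                            /* let O_EXCL succeed on reruns */
    int mode = hardened ? create_owner_only(path) : create_umask_reset(path);
    unlink(path);
    return mode;
}

int main(void) {
    umask(022);                              /* a typical interactive default */
    printf("umask reset + 0666 -> %04o\n", demo_mode(0));   /* 0666 */
    printf("umask kept  + 0600 -> %04o\n", demo_mode(1));   /* 0600 */
    return 0;
}
```

The point the demo makes is that the vulnerable variant produces 0666 no matter how restrictive the caller's umask is, while the hardened variant produces 0600 no matter how permissive it is: a program writing files on a user's behalf should pass the tightest mode that suits the file and never widen the umask it inherited.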